Security of Quantum Key Distribution Against All Collective Attacks

Security of quantum key distribution against sophisticated attacks is among the most important issues in quantum information theory. In this work we prove security against a very important class of attacks called collective attacks (under a compatible noise model) which use quantum memories and gates, and which are directed against the final key. Although attacks stronger than the collective attacks can exist in principle, no explicit example was found and it is conjectured that security against collective attacks implies also security against any attack.

a. Introduction Quantum cryptography is one of the most surprising consequences of processing information using quantum two-state systems (qubits) instead of classical bits. Quantum key distribution was invented 14 years ago, to provide a new type of solution to one of the most important cryptographic problems, the transmission of secret messages.

For many years physicists and computer scientists have been trying to prove the security of various quantum key distribution schemes. Many particular "simple" cases were analyzed, such as the intercept-resend attacks and the individual particle attacks, for which there is a clear intuition that classical privacy amplification provides the desired security, but no explicit bound on the information available to an eavesdropper has been proven. The security in case of the general joint attacks which are using quantum gates and quantum memory and are directed against the final key was also considered in several works (see [^],[| and references therein). In this paper we complete the work started in [M^P] to conclude that the four-state scheme M for quantum key distribution is secure against any collective attack (an important subclass of the joint attacks) under a compatible error model.

In the four-state scheme Alice sends to Bob a classical string of length $n''$ using a quantum channel, by sending qubits; she sends either $|0\rangle_z$ or $|0\rangle_x = (|0\rangle_z + |1\rangle_z)/\sqrt{2}$ to encode a bit value 0, or she sends either $|1\rangle_z$ or $|1\rangle_x = (|0\rangle_z - |1\rangle_z)/\sqrt{2}$ to encode a bit value 1. Alice and Bob are also connected by a classical channel which is insecure but unjammable. At a later stage Alice tells Bob (classically), regarding each qubit, whether she used the $z$ basis or the $x$ basis. If Bob has used the same basis for his measurement, they keep the bit (which is supposed to be the same as Alice's), so they are left with $n'$ similar bits. Alice and Bob now estimate the error rate using some ($n_{test}$) test bits. If the estimated error-rate $p_{test}$ is less than some pre-agreed threshold $p_{allowed}$, then the test succeeds and Alice and Bob obtain a final key from the remaining $n$-bit string (where $n = n' - n_{test}$), by performing error correction and privacy amplification. They choose parities of $k$ substrings for error-correction and parities of $m$ substrings for privacy amplification. The parity of each of the $k$ substrings is announced in order to correct the string, and the parities of the $m$ substrings are kept secret, and used as the final key. We consider $m = 1$ in the following and leave the general case to a review paper.

In the most general (so called "joint") attack, Eve can do whatever she likes (the most general unitary transformation using an ancilla) to the qubits, and delay all her measurements till receiving all classical data. We restrict ourselves to "collective" attacks || where each qubit is attached to a separate probe (unentangled to the other probes), and the measurement is delayed, and is performed collectively on all probes, after all classical data is obtained. There are good reasons to believe that collective attacks are the strongest joint attacks (when $n$ is large). Furthermore, no particular joint attack was shown to be stronger than collective attacks. In a collective attack, after Alice sends $n''$ qubits to Bob, each is attached to a separate probe by Eve. Then, the global state of the Eve-Bob system is $\rho_1 \otimes \ldots \otimes \rho_{n''}$ where each $\rho_i$ is a density operator on the space $\mathcal{H}_{E_i} \otimes \mathcal{H}_{B_i}$ where the spaces $\mathcal{H}_{E_i}$ and $\mathcal{H}_{B_i}$ belong respectively to Eve and Bob.

b. Bounds on information We shall first fix some notations from information theory. Let $B$ and $X$ be random variables (describing the input and output of a channel). When the context is clear we write $p(b)$ for $p(B = b)$ and $p(x)$ for $p(X = x)$. The joint probability $p(x,b)$ satisfies $p(x) = \sum_{b \in B} p(x,b)$ and $p(b) = \sum_{x \in X} p(x,b)$. The conditional probability is denoted by $p_b(x) = p(X = x \mid B = b)$ and $p_x(b) = p(B = b \mid X = x)$. It satisfies the Bayes formula $p_b(x)p(b) = p(x,b) = p_x(b)p(x)$. The mutual information between the input and the output probability distributions, $I(X;B) = -\sum_{b \in B} p(b) \log_2 p(b) + \sum_{x \in X} p(x) \sum_{b \in B} p_x(b) \log_2 p_x(b)$, tells us the increase of knowledge about the input, if the output becomes known to us.

For a binary input $B$ with equal input probabilities $I(B;X) = \sum_{x \in X} p(x) I_2(p_x(0))$, where $I_2(p) = 1 + p \log_2 p + (1-p) \log_2 (1-p)$. Distinguishing the input when the output is given, is then equivalent to distinguishing the two probability distributions $p_0(x)$ and $p_1(x)$. All the probability distributions in the expression of the mutual information can be calculated from $p_0(x)$, $p_1(x)$, so we can define another function $SD$, Shannon Distinguishability, $SD(p_0(x), p_1(x)) = I(B;X)$ (restricted to binary input with equal probabilities).

Suppose we are given a state (density matrix) $\rho$. The most general measurement giving a result $x$ in some set $X$ of possible outputs is given by a POVM indexed by $X$, i.e. a family $\mathcal{E} = (E_x)_{x \in X}$ of Hermitian operators $E_x$ with non negative eigenvalues such that $\sum_{x \in X} E_x = \mathbf{1}$. The probability of occurrence of $x$ given the state $\rho$ is then equal to $p^{\mathcal{E}}(x) = \mathrm{Tr}(\rho E_x)$. Given two equally likely states $\rho_0$ and $\rho_1$, and a measurement procedure $\mathcal{E}$, let $p_i^{\mathcal{E}}(x) = \mathrm{Tr}(\rho_i E_x)$; for any given $\mathcal{E}$ let $SD^{\mathcal{E}}(\rho_0, \rho_1) = SD(p_0^{\mathcal{E}}(x), p_1^{\mathcal{E}}(x))$. The maximum information we can get regarding the state we are facing is given by the optimal Shannon Distinguishability $SD(\rho_0, \rho_1) = \sup_{\mathcal{E}} [SD^{\mathcal{E}}(\rho_0, \rho_1)]$ where the supremum is taken over all POVM's on all possible sets $X$.

Unfortunately, there is no known analytic formula giving optimal mutual information. In what follows, we will present two bounds which are simple to state and to derive, and which will be found very useful.

Theorem 1. — If $\tilde\rho_0$ and $\tilde\rho_1$ are two density matrices defined on some space $\mathcal{H}_1 \otimes \mathcal{H}_2$ and $\rho_i = \mathrm{Tr}_2(\tilde\rho_i)$ are the density matrices on $\mathcal{H}_1$ obtained by tracing-out $\mathcal{H}_2$, then,

$$SD(\rho_0, \rho_1) = SD(\mathrm{Tr}_2(\tilde\rho_0), \mathrm{Tr}_2(\tilde\rho_1)) \le SD(\tilde\rho_0, \tilde\rho_1) . \tag{1}$$

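Proof. If $\mathcal{E} = (E_x)_{x \in X}$ is a POVM on $\mathcal{H}_1$ then $\mathcal{E} \otimes \mathbf{1}_{\mathcal{H}_2} = (E_x \otimes \mathbf{1}_{\mathcal{H}_2})_{x \in X}$ is a POVM on $\mathcal{H}_1 \otimes \mathcal{H}_2$ and $\mathrm{Tr}_1(\mathrm{Tr}_2(\tilde\rho_i) E_x) = \mathrm{Tr}(\tilde\rho_i (E_x \otimes \mathbf{1}_{\mathcal{H}_2}))$. Consequently $SD^{\mathcal{E}}(\mathrm{Tr}_2(\tilde\rho_0), \mathrm{Tr}_2(\tilde\rho_1)) = SD^{\mathcal{E} \otimes \mathbf{1}_{\mathcal{H}_2}}(\tilde\rho_0, \tilde\rho_1)$. By definition of the optimization process $\sup_{\mathcal{E}} [SD^{\mathcal{E} \otimes \mathbf{1}_{\mathcal{H}_2}}(\tilde\rho_0, \tilde\rho_1)] \le \sup_{\tilde{\mathcal{E}}} [SD^{\tilde{\mathcal{E}}}(\tilde\rho_0, \tilde\rho_1)]$, and thus, $SD(\mathrm{Tr}_2(\tilde\rho_0), \mathrm{Tr}_2(\tilde\rho_1)) \le SD(\tilde\rho_0, \tilde\rho_1)$. The $\tilde\rho_b$ will be called a lift-up of $\rho_b$, and it is known as purification if it is a pure state.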

This theorem (proven independently in ) actually states that tracing out cannot increase information. It provides a useful upper bound on the mutual information that can be obtained about mixed states $\rho_i$, if we can find appropriate states $\tilde\rho_i$. A similar idea which says that mixing cannot improve information was used in to obtain a more limited security result.

For any two density matrices $\rho_0$ and $\rho_1$ we can define $\mathrm{Tr}|\rho_0 - \rho_1|$ the trace-norm of the Hermitian operator $\rho_0 - \rho_1$. In our context where we only consider Hermitian matrices, $\mathrm{Tr}|A|$ is nothing but the sum of the absolute values of the eigenvalues of $A$. It is relatively easy to calculate the trace-norm of $\rho_0 - \rho_1$. Therefore, the following upper bound is very important.

Theorem 2. — For any two density matrices $\rho_0$ and $\rho_1$,

$$SD(\rho_0, \rho_1) \le \tfrac{1}{2} \mathrm{Tr}|\rho_0 - \rho_1| . \tag{2}$$

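Proof. — In order to prove this equation (see also [7]) let us first fix some measurement procedure $\mathcal{E} = (E_x)_{x \in X}$. Then $SD^{\mathcal{E}}(\rho_0, \rho_1) = I(B;X) = \sum_{x \in X} p(x) I_2(p_x(0))$, where (from the Bayes formula) $p_x(0) = p(B = 0) p(X = x \mid B = 0)/p(x) = (1/2) p_0^{\mathcal{E}}(x)/p(x)$. Knowing that $I_2(r) \le |2r - 1|$ for $0 \le r \le 1$ we conclude that $SD^{\mathcal{E}}(\rho_0, \rho_1) \le \sum_{x \in X} p(x) |2 p_x(0) - 1|$. Assigning $p_x(0)$ into the last expression [and using $p(x) = (p_0^{\mathcal{E}}(x) + p_1^{\mathcal{E}}(x))/2$ in the following equality], we obtain $SD^{\mathcal{E}}(\rho_0, \rho_1) \le \sum_{x \in X} p(x) |2[p_0^{\mathcal{E}}(x)/2p(x)] - 1| = \tfrac{1}{2} \sum_{x \in X} |p_0^{\mathcal{E}}(x) - p_1^{\mathcal{E}}(x)|$. Now, since $\rho_0 - \rho_1$ is Hermitian, it can be diagonalized and consequently written in the form $\rho_0 - \rho_1 = \sum_j \lambda_j |j\rangle\langle j|$ where $|j\rangle$ is an orthonormal basis and $\mathrm{Tr}|\rho_0 - \rho_1| = \sum_j |\lambda_j|$. Clearly $\mathrm{Tr}(|j\rangle\langle j| E_x) = \langle j|E_x|j\rangle$ and so $p_0^{\mathcal{E}}(x) - p_1^{\mathcal{E}}(x) = \mathrm{Tr}((\rho_0 - \rho_1) E_x) = \sum_j \lambda_j \langle j|E_x|j\rangle$. Using the last expression for $SD$ and using $\langle j|E_x|j\rangle \ge 0$ (since $E_x$ is positive definite), we can now deduce $SD^{\mathcal{E}}(\rho_0, \rho_1) \le \tfrac{1}{2} \sum_j |\lambda_j| \sum_{x \in X} \langle j|E_x|j\rangle = \tfrac{1}{2} \mathrm{Tr}|\rho_0 - \rho_1|$. Since $\mathcal{E}$ is arbitrary, we choose the one which optimizes $SD$ and this concludes the proof.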

c. Error versus information Let us assume that Eve is powerful enough to control the natural noise. Without loss of generality, we assume that Eve's probes are in some arbitrary but fixed initial (tensor product) pure state, and that each probe is in a state $|E\rangle$. In the collective attack, the state $|E\rangle \otimes |b\rangle$ is subjected to Eve's unitary transformation $U$ that changes the state $|b\rangle$ sent by Alice to the final global state

$$|0\rangle_z \rightarrow |E^z_{0,0}\rangle |0\rangle_z + |E^z_{0,1}\rangle |1\rangle_z = |\phi^z_0\rangle \tag{3a}$$
$$|1\rangle_z \rightarrow |E^z_{1,0}\rangle |0\rangle_z + |E^z_{1,1}\rangle |1\rangle_z = |\phi^z_1\rangle \tag{3b}$$

where the $|E^z_{i,j}\rangle$ are Eve's non normalized states. Implicitly, this description corresponds to restricting natural noise to follow the spirit of the collective attacks. It is reasonable to suspect that more general noise models would not be to Eve's advantage.

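Bob's error probability in the $z$ basis [measuring $|0\rangle_z$ if $|1\rangle_z$ was sent etc.] is $p_e^z = (1/2)[\langle E^z_{0,1}|E^z_{0,1}\rangle + \langle E^z_{1,0}|E^z_{1,0}\rangle]$. Alice can also use the alternate basis $x$, and then the transformation $U$ can also be expressed in the $x$ basis (replacing everywhere $z$ by $x$) to yield $p_e^x = (1/2)[\langle E^x_{0,1}|E^x_{0,1}\rangle + \langle E^x_{1,0}|E^x_{1,0}\rangle]$. Since Alice uses both bases with the same probability, Bob's overall probability of error is $p_e = \tfrac{1}{2}(p_e^x + p_e^z)$ and so $p_e^x \le 2p_e$ and $p_e^z \le 2p_e$. Due to linearity of the transformation $U$ we obtain $|E^x_{0,1}\rangle = \tfrac{1}{2}[(|E^z_{0,0}\rangle - |E^z_{1,1}\rangle) + (|E^z_{1,0}\rangle - |E^z_{0,1}\rangle)]$ and $|E^x_{1,0}\rangle = \tfrac{1}{2}[(|E^z_{0,0}\rangle - |E^z_{1,1}\rangle) - (|E^z_{1,0}\rangle - |E^z_{0,1}\rangle)]$. If we expand $p_e^x$ in terms of the vectors in the $z$ basis we get $p_e^x = (1/4)[\langle E^z_{0,0} - E^z_{1,1}|E^z_{0,0} - E^z_{1,1}\rangle + \langle E^z_{1,0} - E^z_{0,1}|E^z_{1,0} - E^z_{0,1}\rangle]$. Since $U$ preserves inner products, the states $|\phi^z_0\rangle$ and $|\phi^z_1\rangle$ have norm 1. Therefore, $\langle E^z_{0,0}|E^z_{0,0}\rangle + \langle E^z_{0,1}|E^z_{0,1}\rangle = 1$ and $\langle E^z_{1,0}|E^z_{1,0}\rangle + \langle E^z_{1,1}|E^z_{1,1}\rangle = 1$, which we use to get

$$p_e^x = \tfrac{1}{2}\left[1 - \mathrm{Re}\{\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{0,1}|E^z_{1,0}\rangle\}\right] . \tag{4}$$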

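Eve's view is obtained by tracing-out Bob from the states $|\phi^z_b\rangle$ (if the $z$ basis was used): $\rho_0(E) = |E^z_{0,0}\rangle\langle E^z_{0,0}| + |E^z_{0,1}\rangle\langle E^z_{0,1}|$ and $\rho_1(E) = |E^z_{1,0}\rangle\langle E^z_{1,0}| + |E^z_{1,1}\rangle\langle E^z_{1,1}|$. Many other pure states (purifications) also yield the same reduced density matrices for Eve. In particular

$$|\psi^z_0\rangle = |E^z_{0,0}\rangle |0\rangle_z + |E^z_{0,1}\rangle |1\rangle_z \tag{5a}$$
$$|\psi^z_1\rangle = |E^z_{1,1}\rangle |0\rangle_z + |E^z_{1,0}\rangle |1\rangle_z \tag{5b}$$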

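will prove useful since the angle between them is zero if there is no disturbance. While these states have only virtual existence, they will be used in Theorem 1 to yield the desired bound, since Eve's states are the trace-out of these pure states. They live in some Hilbert space $\mathcal{H}_E \otimes \mathcal{H}_2$, with $\mathcal{H}_2$ a two-dimensional Hilbert space. They are normalized, and consequently $|\langle\psi^z_0|\psi^z_1\rangle| = \cos(2\alpha_z)$ for some angle $0 \le \alpha_z \le \pi/4$. Moreover, there is some phase angle $\theta$ such that $e^{i\theta}\langle\psi^z_0|\psi^z_1\rangle = |\langle\psi^z_0|\psi^z_1\rangle|$. Let $|\Psi^z_0\rangle = |\psi^z_0\rangle$ and $|\Psi^z_1\rangle = e^{i\theta}|\psi^z_1\rangle$. One can now find two (normalized) orthogonal states $|0'_z\rangle$ and $|1'_z\rangle$ (spanning a two dimensional subspace $\mathcal{H}$ of $\mathcal{H}_E \otimes \mathcal{H}_2$) such that $|\Psi^z_0\rangle = \cos(\alpha_z)|0'_z\rangle + \sin(\alpha_z)|1'_z\rangle$ and $|\Psi^z_1\rangle = \cos(\alpha_z)|0'_z\rangle - \sin(\alpha_z)|1'_z\rangle$. From $1 - 2\sin^2(\alpha_z) = \langle\Psi^z_0|\Psi^z_1\rangle = |\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{0,1}|E^z_{1,0}\rangle|$ we deduce that $\mathrm{Re}\{\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{0,1}|E^z_{1,0}\rangle\} \le 1 - 2\sin^2(\alpha_z)$. Using (4) we get that Eve's state is a partial trace of one of the pure states $|\Psi^z_b\rangle$ with angle satisfying $\sin(\alpha_z) \le (p_e^x)^{1/2}$.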

Everything that has been said about $|\Psi^z_b\rangle$ and $p_e^x$ holds by symmetry when replacing the bases, yielding $\sin(\alpha_x) \le (p_e^z)^{1/2}$. Using $p_e^x \le 2p_e$ and $p_e^z \le 2p_e$, we obtain $\sin(\alpha_z) \le (2p_e)^{1/2}$ and $\sin(\alpha_x) \le (2p_e)^{1/2}$. In the sequel we will simply drop the indices $x$ and $z$, taking as a convention that we are dealing with the actual basis that Alice and Bob agreed upon (and which becomes known to Eve only after she retransmitted the particle towards Bob).

d. The state in Eve's hands We now look at the $n'$ remaining qubits after Alice and Bob discard those bits where the bases did not agree. Some bits are used to verify that $p_{test} < p_{allowed}$, to be left with an $n$-bit string $\mathbf{x}$. From the previous paragraph, we know that after retransmitting the $i$-th bit (namely, $x_i$) to Bob, the purification of Eve's state is $|\Psi_{x_i}\rangle = \cos(\alpha_i)|0\rangle_i + (-1)^{x_i}\sin(\alpha_i)|1\rangle_i$ where $x_i$ is either 0 or 1 ($1 \le i \le n$) according to the bit which Alice sent to Bob, and $|b\rangle_i$ would be $|b'_z\rangle$ in the notations of the previous paragraph. Moreover $\sin(\alpha_i) \le (2p_i)^{1/2}$, where $p_i$ is Bob's probability of error on the $i$-th bit (averaged over the four possible input states), which is completely determined by Eve's transformation. The global state of Eve's probes is, thanks to the properties of the trace, a partial trace of $|\Psi_{\mathbf{x}}\rangle$, the tensor product of the $|\Psi_{x_i}\rangle$.

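To expand $|\Psi_{\mathbf{x}}\rangle$ we first need some notations. Boldface letters like $\mathbf{j}$, $\mathbf{x}$ are used to denote strings in $\{0,1\}^n$ that are interpreted as $n$-vectors on the binary field. Boldface letters are also used in kets, with the following understanding: if $\mathbf{j} = j_1 \ldots j_n$ is concatenation of $n$ bits then $|\mathbf{j}\rangle = |j_1\rangle_1 \cdots |j_n\rangle_n$ where $|b\rangle_i$ are the basis vectors of the purifications of Eve's $i$'th qubit. The state $|\Psi_{\mathbf{x}}\rangle = \bigotimes_{i=1}^{n} [\cos(\alpha_i)|0\rangle_i + (-1)^{x_i}\sin(\alpha_i)|1\rangle_i]$ can be written as $|\Psi_{\mathbf{x}}\rangle = \sum_{\mathbf{j} \in \{0,1\}^n} d_{\mathbf{j}} (-1)^{\mathbf{x}\cdot\mathbf{j}} |\mathbf{j}\rangle$ where $d_{\mathbf{j}} = d_{j_1} \cdots d_{j_n}$ with $d_{j_i} = \cos\alpha_i$ if $j_i = 0$ and $d_{j_i} = \sin\alpha_i$ if $j_i = 1$, and where $\mathbf{x}\cdot\mathbf{j}$ is by definition $\mathbf{x}\cdot\mathbf{j} = \sum_{i=1}^{n} x_i j_i \bmod 2$. For instance, $|\Psi_{01}\rangle = \cos\alpha_1\cos\alpha_2|00\rangle - \cos\alpha_1\sin\alpha_2|01\rangle + \sin\alpha_1\cos\alpha_2|10\rangle - \sin\alpha_1\sin\alpha_2|11\rangle$. We let $\mathbf{j} \oplus \mathbf{k}$ be the string obtained by adding $\mathbf{j}$ and $\mathbf{k}$ bit by bit with the understanding that $1 \oplus 1 = 0$. Then [using $(-1)^{\mathbf{x}\cdot\mathbf{j}}(-1)^{\mathbf{x}\cdot\mathbf{k}} = (-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k})}$], the lift-up of Eve's density matrix is

$$\tilde\rho_{\mathbf{x}} = |\Psi_{\mathbf{x}}\rangle\langle\Psi_{\mathbf{x}}| = \sum_{\mathbf{j},\mathbf{k} \in \{0,1\}^n} d_{\mathbf{j}} d_{\mathbf{k}} (-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k})} |\mathbf{j}\rangle\langle\mathbf{k}| , \tag{6}$$

for any string $\mathbf{x}$ sent by Alice.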

e. The parity bit In order to encode one key-bit $b$ (0 or 1) using a substring of the $n$ bits she sent, Alice proceeds as follows: she chooses some string $\mathbf{v} \in \{0,1\}^n$ to define the relevant (privacy amplification) substring, and announces it to Bob; Bob understands that the key-bit sent is $b = \mathbf{x}\cdot\mathbf{v}$, and can calculate the final bit $b$. Eve now knows $\mathbf{v}$ (but not $\mathbf{x}$) and has to guess $b = \mathbf{x}\cdot\mathbf{v}$. Only strings $\mathbf{x}$ such that $\mathbf{x}\cdot\mathbf{v} = b$ shall contribute to $\tilde\rho_b = 2^{-n+1} \sum_{\{\mathbf{x} \,|\, \mathbf{x}\cdot\mathbf{v} = b\}} |\Psi_{\mathbf{x}}\rangle\langle\Psi_{\mathbf{x}}|$. To learn $b$ Eve needs to distinguish between the two density matrices (in her hands) $\rho_b$ for which $\tilde\rho_b$ are lift-ups. For convenience let us define $\Delta_{\mathbf{v}} = \tilde\rho_0 - \tilde\rho_1$, and in the following we evaluate the trace-norm of $\Delta_{\mathbf{v}}$.

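Using $(-1)^b = (-1)^{\mathbf{x}\cdot\mathbf{v}}$ and (6) we get $\Delta_{\mathbf{v}} = (-1)^0\tilde\rho_0 + (-1)^1\tilde\rho_1 = 2^{-n+1} \sum_{\mathbf{j},\mathbf{k}} d_{\mathbf{j}} d_{\mathbf{k}} \sum_{\mathbf{x}} (-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} |\mathbf{j}\rangle\langle\mathbf{k}|$. We now simplify the preceding sum using a technique similar to the one of S. If $\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v} \ne 0$, there is some string $\mathbf{y}$ such that $(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})\cdot\mathbf{y} = 1$. If we let $\mathbf{x}' = \mathbf{x}\oplus\mathbf{y}$ then $(-1)^{\mathbf{x}'\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} + (-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} = 0$ and since $\mathbf{x} \ne \mathbf{x}'$ (because $\mathbf{y} \ne 0$) all the coefficients of $|\mathbf{j}\rangle\langle\mathbf{k}|$ cancel in pairs. If $\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v} = 0$, then $(-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} = 1$ for all $\mathbf{x}$ and since there are $2^n$ such strings, we get

$$\Delta_{\mathbf{v}} = 2 \sum_{\mathbf{i}\oplus\mathbf{j}=\mathbf{v}} d_{\mathbf{i}} d_{\mathbf{j}} |\mathbf{i}\rangle\langle\mathbf{j}| = 2 \sum_{\mathbf{j} \in \{0,1\}^n} d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}} |\mathbf{j}\rangle\langle\mathbf{j}\oplus\mathbf{v}| . \tag{7}$$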

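If $\mathbf{i}\oplus\mathbf{j} = \mathbf{v}$ then clearly $\mathbf{j}\oplus\mathbf{i} = \mathbf{v}$. Therefore, $\Delta_{\mathbf{v}}$ is a sum of $2^{n-1}$ Hermitian matrices $d_{\mathbf{i}} d_{\mathbf{j}} |\mathbf{i}\rangle\langle\mathbf{j}| + d_{\mathbf{j}} d_{\mathbf{i}} |\mathbf{j}\rangle\langle\mathbf{i}| = d_{\mathbf{i}} d_{\mathbf{j}} [|\mathbf{i}\rangle\langle\mathbf{j}| + |\mathbf{j}\rangle\langle\mathbf{i}|]$. For each of them the Trace-norm is $2 d_{\mathbf{i}} d_{\mathbf{j}} = d_{\mathbf{i}} d_{\mathbf{j}} + d_{\mathbf{j}} d_{\mathbf{i}}$. Using this result and the triangle inequality (which is satisfied by any norm) we obtain

$$\mathrm{Tr}|\Delta_{\mathbf{v}}| \le 2 \sum_{\mathbf{i}\oplus\mathbf{j}=\mathbf{v}} d_{\mathbf{i}} d_{\mathbf{j}} = 2 \sum_{\mathbf{j}} d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}} . \tag{8}$$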

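If $v_i$, the $i$-th bit of $\mathbf{v}$ equals 1, then the product of the $i$-th factor of $d_{\mathbf{j}}$ by the $i$-th factor of $d_{\mathbf{v}\oplus\mathbf{j}}$ is $\cos\alpha_i \sin\alpha_i$, since either [$d_{j_i} = \cos\alpha_i$ and $d_{j_i \oplus v_i} = \sin\alpha_i$] or alternatively [$d_{j_i} = \sin\alpha_i$ and $d_{j_i \oplus v_i} = \cos\alpha_i$], since $j_i \oplus 1 = \mathrm{not}(j_i)$. The contribution of such terms is $(\sin 2\alpha_i)$ since the sum is over all $\mathbf{j}$ so the term $d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}}$ contributes twice. If $v_i$, the $i$-th bit of $\mathbf{v}$ equals 0, then the product of the $i$-th factor of $d_{\mathbf{j}}$ by the $i$-th factor of $d_{\mathbf{v}\oplus\mathbf{j}}$ is either $\cos^2\alpha_i$ or $\sin^2\alpha_i$. When summing over all $\mathbf{j}$, such terms sum up to yield 1.

As a result the sum reduces to $\sum_{\mathbf{j}} d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}} = \prod_{v_i=1} \sin(2\alpha_i) \prod_{v_i=0} 1 = \prod_{v_i=1} \sin(2\alpha_i)$. If we look at $\mathbf{v}$ as the characteristic function of a set also denoted $\mathbf{v}$, one can write $i \in \mathbf{v}$ instead of $v_i = 1$ and

$$\mathrm{Tr}|\Delta_{\mathbf{v}}| \le 2 \prod_{i \in \mathbf{v}} \sin(2\alpha_i) . \tag{9}$$

Due to (1) and (2) we get $SD(\rho_0, \rho_1) \le SD(\tilde\rho_0, \tilde\rho_1) \le \mathrm{Tr}|\Delta_{\mathbf{v}}| \le 2 \prod_{i \in \mathbf{v}} \sin(2\alpha_i)$, if the error correction data is unknown to Eve.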
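A numerical check of Eqs. (7) and (9), added here as an illustration and not part of the original paper: it builds the difference of the two lift-ups directly from the states of Eq. (6) for a small n, compares it entry by entry with the closed form, and evaluates the trace norm against the product of sin(2α_i). The function names, the sample angles and the sample error rate are assumptions made for this example.

```python
import itertools
import math

def dot(a, b):
    """x . j over the binary field."""
    return sum(p & q for p, q in zip(a, b)) % 2

def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))

def amplitudes(alphas):
    """d_j = product over i of cos(a_i) if j_i = 0, sin(a_i) if j_i = 1."""
    return {j: math.prod(math.sin(a) if bit else math.cos(a)
                         for a, bit in zip(alphas, j))
            for j in itertools.product((0, 1), repeat=len(alphas))}

def delta_from_states(alphas, v):
    """Delta_v = rho~_0 - rho~_1, summed directly over the states |Psi_x>."""
    d = amplitudes(alphas)
    weight = 2.0 ** (1 - len(alphas))
    delta = {(j, k): 0.0 for j in d for k in d}
    for x in d:
        psi = {j: d[j] * (-1) ** dot(x, j) for j in d}
        sign = (-1) ** dot(x, v)          # +1 for parity b = 0, -1 for b = 1
        for j in d:
            for k in d:
                delta[j, k] += sign * weight * psi[j] * psi[k]
    return delta

def delta_closed_form(alphas, v):
    """Eq. (7): 2 * sum_j d_j d_{j xor v} |j><j xor v|."""
    d = amplitudes(alphas)
    return {(j, k): (2 * d[j] * d[k] if k == xor(j, v) else 0.0)
            for j in d for k in d}

def trace_norm(delta):
    """Tr|A| = Tr sqrt(A^2), usable here because A^2 is diagonal (checked)."""
    idx = sorted({j for j, _ in delta})
    total = 0.0
    for j in idx:
        for k in idx:
            sq = sum(delta[j, m] * delta[m, k] for m in idx)
            if j == k:
                total += math.sqrt(max(sq, 0.0))
            elif abs(sq) > 1e-12:
                raise ValueError("A^2 is not diagonal; use an eigenvalue solver")
    return total

def product_bound(alphas, v):
    """Right-hand side of Eq. (9): 2 * prod over i in v of sin(2 a_i)."""
    return 2 * math.prod(math.sin(2 * a) for a, bit in zip(alphas, v) if bit)

def worst_case_alpha(p_i):
    """Largest angle allowed by sin(a_i) <= sqrt(2 p_i)."""
    return math.asin(math.sqrt(2 * p_i))

if __name__ == "__main__":
    alphas, v = (0.10, 0.20, 0.30), (1, 0, 1)   # constructed sample values
    direct, closed = delta_from_states(alphas, v), delta_closed_form(alphas, v)
    print(max(abs(direct[e] - closed[e]) for e in direct))
    print(trace_norm(direct), product_bound(alphas, v))
    print(product_bound([worst_case_alpha(0.01)] * 3, (1, 1, 1)))
```

For these lift-up states the trace norm meets the right-hand side of Eq. (9) with equality, and the value shrinks geometrically with the number of bits in the parity substring.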

f. Error correction For error correction, a number of linear constraints are imposed on the bits of $\mathbf{x}$. More precisely, Alice chooses a system $E = \{\mathbf{v}_1\cdot\mathbf{x} = b_1, \mathbf{v}_2\cdot\mathbf{x} = b_2, \ldots, \mathbf{v}_r\cdot\mathbf{x} = b_r\}$ of $r$ linear equations such that the $r + 1$ strings $\mathbf{v}, \mathbf{v}_1, \ldots, \mathbf{v}_r$ are linearly independent and each $b_i$ is either 0 or 1. We write $E(\mathbf{x})$ to mean that $\mathbf{x}$ satisfies the system (that is, $\mathbf{x}$ is a code word).

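We can now define $\Delta^{E,\mathbf{v}}$ as in the previous section with $\tilde\rho_b^{E,\mathbf{v}}$ an equal mixture of the states $|\Psi_{\mathbf{x}}\rangle\langle\Psi_{\mathbf{x}}|$ such that $\mathbf{x}$ satisfies the system $\{\mathbf{x}\cdot\mathbf{v} = b\} \cup E$. This system has $2^{n-r-1}$ solutions and so $\Delta^{E,\mathbf{v}} = 2^{-n+r+1} \sum_{\mathbf{j},\mathbf{k}} d_{\mathbf{j}} d_{\mathbf{k}} \sum_{E(\mathbf{x})} (-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} |\mathbf{j}\rangle\langle\mathbf{k}|$. As in the previous section, the expression for the Trace-norm can be simplified. For any $\mathbf{s} \in \{0,1\}^r$ let $\mathbf{v}_{\mathbf{s}}$ denote the element $\sum_{i=1}^{r} s_i \mathbf{v}_i$. If $\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v} = \mathbf{v}_{\mathbf{s}}$ and $\mathbf{x}$ is a solution of $E$, then the exponent $\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})$ in the above expression for $\Delta^{E,\mathbf{v}}$ reduces to $(\sum_{i=1}^{r} s_i \mathbf{v}_i)\cdot\mathbf{x} = \sum_{i=1}^{r} s_i (\mathbf{v}_i\cdot\mathbf{x}) = \sum_{i=1}^{r} s_i b_i = \mathbf{s}\cdot\mathbf{b}$. This value is independent of $\mathbf{x}$ and so the coefficient of $|\mathbf{j}\rangle\langle\mathbf{k}| = |\mathbf{j}\rangle\langle\mathbf{j}\oplus\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}|$ is $2 d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}} (-1)^{\mathbf{s}\cdot\mathbf{b}}$ where $\mathbf{b}$ is the string $(b_i)_{1 \le i \le r}$ of the parity bits in the equations of $E$. If $\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v}$ is not in the span of $\{\mathbf{v}_1, \ldots, \mathbf{v}_r\}$ then there is a solution $\mathbf{y}$ to the system $\{(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})\cdot\mathbf{y} = 1, \mathbf{v}_1\cdot\mathbf{y} = 0, \ldots, \mathbf{v}_r\cdot\mathbf{y} = 0\}$. For any $\mathbf{x}$ solution of $E$, let $\mathbf{x}'$ denote $\mathbf{x}\oplus\mathbf{y}$. Clearly $\mathbf{x}'$ is also a solution of $E$ and $(-1)^{\mathbf{x}\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} + (-1)^{\mathbf{x}'\cdot(\mathbf{j}\oplus\mathbf{k}\oplus\mathbf{v})} = 0$, and consequently the coefficient of $|\mathbf{j}\rangle\langle\mathbf{k}|$ is 0. Therefore

$$\Delta^{E,\mathbf{v}} = 2 \sum_{\mathbf{j},\mathbf{s}} d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}} (-1)^{\mathbf{s}\cdot\mathbf{b}} |\mathbf{j}\rangle\langle\mathbf{j}\oplus\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}| , \tag{10}$$

generalizing Eq. (7) to contain the error correction data.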

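Consequently $\Delta^{E,\mathbf{v}} = \sum_{\mathbf{s} \in \{0,1\}^r} (-1)^{\mathbf{s}\cdot\mathbf{b}} \left(2 \sum_{\mathbf{j}} d_{\mathbf{j}} d_{\mathbf{j}\oplus\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}} |\mathbf{j}\rangle\langle\mathbf{j}\oplus\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}|\right)$. As before we define $\Delta_{\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}}$ for the terms in the parenthesis, and these terms are given by Eq. (7) [and their Trace-norm is given by Eqs. (8) and (9)] once $\mathbf{v}$ there is replaced by $\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}$. This gives $\Delta^{E,\mathbf{v}} = \sum_{\mathbf{s} \in \{0,1\}^r} (-1)^{\mathbf{s}\cdot\mathbf{b}} (\Delta_{\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}})$, and due to the triangle inequality $\mathrm{Tr}|\Delta^{E,\mathbf{v}}| \le \sum_{\mathbf{s} \in \{0,1\}^r} \mathrm{Tr}|\Delta_{\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}}|$. Using the set notation and Eq. (9) we finally get

$$\mathrm{Tr}|\Delta^{E,\mathbf{v}}| \le 2 \sum_{\mathbf{s} \in \{0,1\}^r} \prod_{i \in (\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}})} \sin(2\alpha_i) . \tag{11}$$

Due to (1) and (2), we get $SD(\rho_0^{E,\mathbf{v}}, \rho_1^{E,\mathbf{v}}) \le SD(\tilde\rho_0^{E,\mathbf{v}}, \tilde\rho_1^{E,\mathbf{v}}) \le \mathrm{Tr}|\Delta^{E,\mathbf{v}}| \le 2 \sum_{\mathbf{s} \in \{0,1\}^r} \prod_{i \in (\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}})} \sin(2\alpha_i)$ when the error correction data is known to Eve. Using $\sin(2\alpha_i) \le 2\sin\alpha_i \le (8p_i)^{1/2}$ we finally get $SD(\rho_0^{E,\mathbf{v}}, \rho_1^{E,\mathbf{v}}) \le 2 \sum_{\mathbf{s} \in \{0,1\}^r} [\prod_{i \in (\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}})} (8p_i)]^{1/2}$.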



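Let the "Hamming weight" $\hat{n}_{\mathbf{s}}$ (for each $\mathbf{s}$) be the number of one's in $\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}}$ [the number of factors in the product $\prod_{i \in (\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}})}$]. Also let $p_{\mathbf{s}} = [\sum_{i \in (\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}})} p_i]/\hat{n}_{\mathbf{s}}$ be the average error in any relevant subset $\mathbf{s}$. The geometrical mean of the $p_i$ contributing to $p_{\mathbf{s}}$ is always less than their arithmetical mean so $[\prod_{i \in (\mathbf{v}\oplus\mathbf{v}_{\mathbf{s}})} (8p_i)]^{1/2} \le [8p_{\mathbf{s}}]^{\hat{n}_{\mathbf{s}}/2}$, and thus $SD(\rho_0^{E,\mathbf{v}}, \rho_1^{E,\mathbf{v}}) \le 2 \sum_{\mathbf{s} \in \{0,1\}^r} [8p_{\mathbf{s}}]^{\hat{n}_{\mathbf{s}}/2}$.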

Given that the test is passed, $p_{test} < p_{allowed}$, statistical analysis promises us that each of the $p_{\mathbf{s}}$ is bounded. Combining two laws of large numbers of Hoeffding ||, Theorem 2 (sums of independent random variables) and its extension in section 6 (sampling from a finite population), we are promised that $p_{n'}$, the average $p_i$ of all $n'$ relevant bits satisfies $\mathrm{Prob}[p_{n'} > p_{test} + 2\delta] \le 2e^{-2 n_{test} \delta^2}$ (since the tested bits are picked at random). Once $p_{n'}$ is bounded we can bound $p_{\mathbf{s}}$ as follows: let $n'$ be even [throw one bit if needed (before choosing the bits for the test)], and let Alice and Bob use $n_{test} = n'/2$ bits for the test. We then have $p_{\mathbf{s}} \le (n'/\hat{n}_{\mathbf{s}}) p_{n'}$. Thus, Eve's information is generously bounded by $2 \sum_{\mathbf{s} \in \{0,1\}^r} [(8n'/\hat{n}_{\mathbf{s}})(p_{test} + 2\delta)]^{\hat{n}_{\mathbf{s}}/2}$ except with a probability of $p_{luck} = 2e^{-2 n_{test} \delta^2}$. Recall that $n_{test} = n = n'/2$. Assuming (generously again) that in such a case of having luck Eve's information is maximal (one bit) her total information is bounded by $2 \sum_{\mathbf{s} \in \{0,1\}^r} [(16n/\hat{n}_{\mathbf{s}})(p_{test} + 2\delta)]^{\hat{n}_{\mathbf{s}}/2} + 2e^{-2n\delta^2}$ for any $\delta$. Let $an = \hat{n} = \min_{\mathbf{s}} \hat{n}_{\mathbf{s}}$. Then, $SD(\rho_0^{E,\mathbf{v}}, \rho_1^{E,\mathbf{v}}) \le 2^{r+1} [(16/a)(p_{test} + 2\delta)]^{an/2} + 2e^{-2n\delta^2}$. Entering into coding theory is beyond our aim in this letter and is left for the full paper: for error rates below 2%, many codes allow us to choose the parameters $n$, $r$, $a$ and $\delta$ such that Eve's information is negligible [e.g., $2^{-100}$ of a bit].